The present invention relates to a cryptographic method between a portable data carrier and a terminal device, and to an accordingly adapted data carrier and a terminal device.
A portable data carrier, for example in the form of an electronic identity document, comprises an integrated circuit with a processor and a memory. The memory stores data relating to a user of the data carrier. On the processor there can be executed a cryptography application via which the data carrier can set up a secure communication connection with the terminal device. Further, the cryptography application can support an authentication of the data carrier to the terminal device, in the case of an identity document for example upon a border control or the like.
During such a cryptographic method, a secure data communication between the data carrier and the terminal device is prepared by a secret communication key for symmetric encryption of a subsequent data communication being agreed on, for example by means of the well-known Diffie-Hellman key exchange method or other suitable methods. Further, at least the terminal device normally verifies the authenticity of the data carrier, for example using a certificate.
For carrying out a method for agreeing on the secret communication key, it is necessary that the terminal as well as the data carrier respectively supply a secret key and a public key. The certificate of the data carrier can relate for example to its public key.
Different methods and protocols are known which support the setup of a secure communication connection between a portable data carrier and a terminal device. A key exchange method based on session-specifically, dynamically generated keys can be additionally secured in a password-based manner. The password used may be a secret datum, for example a PIN, a biometric feature, e.g. a fingerprint, or the like. The password is normally stored in the data carrier and, in the course of the method, supplied to the terminal device in a suitable manner. The password can be input to the terminal device e.g. by a user of the data carrier by means of an input device, for example a keyboard, a sensor for biometric data, or the like. According to another embodiment, the password, for example a PIN, can be applied to the data carrier so as to be optically readable and be sensed accordingly by the terminal device. Thus it is ensured that a legitimate user of the data carrier approves the use of the data carrier within the framework of the method, by inputting the password or at least presenting the data carrier such that the password can be read out by the terminal device. An unwanted data communication, for example by contactless means, can thus be ruled out. However, such a method does not enable a mutual authentication of data carrier and terminal.
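The two mechanisms described above, a Diffie-Hellman agreement on a symmetric session key and its password-based securing, are illustrated by the following added example. It is not part of the patent text and does not describe the claimed method; it follows the generic-mapping style of password-authenticated Diffie-Hellman used by known ePassport protocols. The data carrier sends a fresh nonce encrypted under a key derived from the password, both sides map the public generator with that nonce and a first Diffie-Hellman value, and the session key is agreed on over the mapped generator; a terminal holding the wrong password derives a different session key, which is caught by the key-confirmation step. The modulus, generator, the HMAC-based key derivation and the XOR encryption of the nonce are toy choices made here for readability; a deployment would use a standardized group and a proper block cipher.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for this demo only (assumption).
# A real deployment uses a standardized group or an elliptic curve.
P = 2**127 - 1   # Mersenne prime used as modulus
G = 3            # generator


def kdf(key: bytes, label: bytes, length: int = 16) -> bytes:
    """Derive `length` bytes bound to `label` from `key` (HMAC-SHA256 based)."""
    return hmac.new(key, label, hashlib.sha256).digest()[:length]


def password_key(password: str) -> bytes:
    """K_pi: key derived from the password shared by carrier and terminal."""
    return hashlib.sha256(b"password-key|" + password.encode()).digest()


def random_exponent() -> int:
    return secrets.randbelow(P - 2) + 1


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Party:
    """One side of the exchange: the data carrier or the terminal device."""

    def __init__(self, password: str):
        self.k_pi = password_key(password)
        self.x1 = random_exponent()   # exponent for the mapping DH
        self.x2 = random_exponent()   # exponent for the session DH
        self.g_map = None

    def mapping_public(self) -> int:
        return pow(G, self.x1, P)

    def map_generator(self, peer_mapping_public: int, nonce: int) -> None:
        # h = G^(x1*y1) is known only to the two parties; g' = G^s * h
        h = pow(peer_mapping_public, self.x1, P)
        self.g_map = (pow(G, nonce, P) * h) % P

    def session_public(self) -> int:
        return pow(self.g_map, self.x2, P)

    def session_key(self, peer_session_public: int) -> bytes:
        shared = pow(peer_session_public, self.x2, P)
        return kdf(shared.to_bytes(16, "big"), b"session-key")


def run_protocol(carrier_pin: str, terminal_pin: str) -> bool:
    """Run the exchange; return True iff both key-confirmation checks pass."""
    carrier = Party(carrier_pin)
    terminal = Party(terminal_pin)

    # Step 1: the carrier picks a nonce s and sends it encrypted under K_pi.
    s_carrier = secrets.token_bytes(16)
    ciphertext = xor_bytes(s_carrier, kdf(carrier.k_pi, b"nonce"))
    # The terminal decrypts with its own K_pi; a wrong password yields a wrong s.
    s_terminal = xor_bytes(ciphertext, kdf(terminal.k_pi, b"nonce"))

    # Step 2: first DH over G, then both sides derive the mapped generator g'.
    carrier.map_generator(terminal.mapping_public(), int.from_bytes(s_carrier, "big"))
    terminal.map_generator(carrier.mapping_public(), int.from_bytes(s_terminal, "big"))

    # Step 3: second DH over g' yields the symmetric session key on each side.
    pub_c = carrier.session_public()
    pub_t = terminal.session_public()
    k_carrier = carrier.session_key(pub_t)
    k_terminal = terminal.session_key(pub_c)

    # Step 4: key confirmation. Each side MACs the peer's public value and
    # checks the token it receives against its own session key.
    token_from_carrier = hmac.new(k_carrier, pub_t.to_bytes(16, "big"), hashlib.sha256).digest()
    token_from_terminal = hmac.new(k_terminal, pub_c.to_bytes(16, "big"), hashlib.sha256).digest()
    carrier_ok = hmac.compare_digest(
        token_from_terminal,
        hmac.new(k_carrier, pub_c.to_bytes(16, "big"), hashlib.sha256).digest())
    terminal_ok = hmac.compare_digest(
        token_from_carrier,
        hmac.new(k_terminal, pub_t.to_bytes(16, "big"), hashlib.sha256).digest())
    return carrier_ok and terminal_ok


if __name__ == "__main__":
    print("matching PIN:", run_protocol("123456", "123456"))
    print("wrong PIN:   ", run_protocol("123456", "654321"))
```

Because the nonce is never sent in clear and the mapping value h is known only to the two parties, an eavesdropper cannot test password guesses offline against the recorded exchange; a terminal with the wrong password simply ends up with a different session key, and the exchange aborts at key confirmation before any application data is sent.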
Known methods for authenticating a data carrier to the terminal device or for authenticating the terminal device to the data carrier cannot provide the security of password-based methods, however. Such authentication methods are based for example on the employment of digital certificates.